Skip to content

Commit

Permalink
fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (o…
Browse files Browse the repository at this point in the history
…pen-telemetry#36793)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| golang.org/x/crypto | `v0.29.0` -> `v0.31.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fcrypto/v0.31.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/golang.org%2fx%2fcrypto/v0.31.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/golang.org%2fx%2fcrypto/v0.29.0/v0.31.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fcrypto/v0.29.0/v0.31.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[CVE-2024-45337](https://redirect.github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909)

Applications and libraries which misuse the
ServerConfig.PublicKeyCallback callback may be susceptible to an
authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call
to this function does not guarantee that the key offered is in fact used
to authenticate." Specifically, the SSH protocol allows clients to
inquire about whether a public key is acceptable before proving control
of the corresponding private key. PublicKeyCallback may be called with
multiple keys, and the order in which the keys were provided cannot be
used to infer which key the client successfully authenticated with, if
any. Some applications, which store the key(s) passed to
PublicKeyCallback (or derived information) and make security relevant
determinations based on it once the connection is established, may make
incorrect assumptions.

For example, an attacker may send public keys A and B, and then
authenticate with A. PublicKeyCallback would be called only twice, first
with A and then with B. A vulnerable application may then make
authorization decisions based on key B for which the attacker does not
actually control the private key.

Since this API is widely misused, as a partial mitigation
golang.org/x/cry...@&open-telemetry#8203;v0.31.0 enforces the property that, when
successfully authenticating via public key, the last key passed to
ServerConfig.PublicKeyCallback will be the key used to authenticate the
connection. PublicKeyCallback will now be called multiple times with the
same key, if necessary. Note that the client may still not control the
last key passed to PublicKeyCallback if the connection is then
authenticated with a different method, such as PasswordCallback,
KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return
value from the various authentication callbacks to record data
associated with the authentication attempt instead of referencing
external state. Once the connection is established the state
corresponding to the successful authentication attempt can be retrieved
via the ServerConn.Permissions field. Note that some third-party
libraries misuse the Permissions type by sharing it across
authentication attempts; users of third-party libraries should refer to
the relevant projects for guidance.

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/open-telemetry/opentelemetry-collector-contrib).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS41OC4xIiwidXBkYXRlZEluVmVyIjoiMzkuNTguMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIiwicmVub3ZhdGVib3QiXX0=-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: opentelemetrybot <[email protected]>
  • Loading branch information
renovate[bot] and opentelemetrybot authored Dec 12, 2024
1 parent 964a652 commit 783c00a
Show file tree
Hide file tree
Showing 4 changed files with 22 additions and 22 deletions.
6 changes: 3 additions & 3 deletions receiver/podmanreceiver/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ require (
go.uber.org/goleak v1.3.0
go.uber.org/multierr v1.11.0
go.uber.org/zap v1.27.0
golang.org/x/crypto v0.29.0
golang.org/x/crypto v0.31.0
)

require (
Expand Down Expand Up @@ -51,8 +51,8 @@ require (
go.opentelemetry.io/otel/sdk/metric v1.32.0 // indirect
go.opentelemetry.io/otel/trace v1.32.0 // indirect
golang.org/x/net v0.28.0 // indirect
golang.org/x/sys v0.27.0 // indirect
golang.org/x/text v0.20.0 // indirect
golang.org/x/sys v0.28.0 // indirect
golang.org/x/text v0.21.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd // indirect
google.golang.org/grpc v1.67.1 // indirect
google.golang.org/protobuf v1.35.2 // indirect
Expand Down
16 changes: 8 additions & 8 deletions receiver/podmanreceiver/go.sum

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions receiver/sshcheckreceiver/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ require (
go.opentelemetry.io/collector/scraper v0.115.1-0.20241206185113-3f3e208e71b8
go.uber.org/goleak v1.3.0
go.uber.org/multierr v1.11.0
golang.org/x/crypto v0.29.0
golang.org/x/crypto v0.31.0
)

require (
Expand Down Expand Up @@ -67,8 +67,8 @@ require (
go.opentelemetry.io/otel/trace v1.32.0 // indirect
go.uber.org/zap v1.27.0
golang.org/x/net v0.29.0 // indirect
golang.org/x/sys v0.27.0 // indirect
golang.org/x/text v0.20.0 // indirect
golang.org/x/sys v0.28.0 // indirect
golang.org/x/text v0.21.0 // indirect
google.golang.org/grpc v1.67.1 // indirect
google.golang.org/protobuf v1.35.2 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
Expand Down
16 changes: 8 additions & 8 deletions receiver/sshcheckreceiver/go.sum

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit 783c00a

Please sign in to comment.